
Using Acegi

Mar 12th, 2007, 06:05 AM

Hi All

I've been working on re-vamping my final year project using Spring. I'm now looking into security and thought about using Acegi for securing the application.

The project is broken into two "components": component 1 contains a layered module that connects to a database and contains the service layer for clients to use. The second part is the web component. Now the question I have (probably more of an architectural question, I think) is do I place the Acegi stuff in component 1, or do I create the bean definitions in the web part?

Not sure if that made sense...please let me know if you need more info.

Personally I think you need both. FilterSecurityInterceptor for the web tier and MethodSecurityInterceptor for the service layer. If you have any more details on what you are trying to do, post back and I'll try and help some more. http://acegisecurity.org/multiprojec...terceptor.html


Hi there! Thanks for getting back to me. Basically here is what i am trying to do:

Use Acegi to authenticate users into the web application. There is a login page and I want to make sure that the person who is trying to access the application has permission. I'm not sure I can set the authentication levels in Acegi; for example, there are only certain members who can create, update and delete asset details. Now do I set access on the URL level, e.g. restrict access using filters based on the URL (createAsset.do), or do I set it up on the method invocation level, which would mean that it would reside on the backend component level?

You mentioned that I should apply it to both parts, but if I apply it to the model component then does it mean I would need to set something up in the web part?

Have you had a look at the acegi-security-sample-tutorial example that ships with Acegi? This already covers the logon and URL securing you are after. So this covers your basic /secureURL.do style security. If you also declare method based security on your service layer then this covers all aspects of it.
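The two interceptors from the replies above, wired side by side in one Spring context, as an added example that is not the tutorial's own context file and not code from anyone in this thread. The Acegi class names are real; the bean names, the AssetService interface and its methods, the URLs other than createAsset.do, and the password values are assumptions. Both interceptors share one authenticationManager and one accessDecisionManager, so a rule only has to be expressed once per tier:

```xml
<!-- applicationContext-acegi-security.xml (added example; assumed bean names) -->
<beans>

  <!-- Users and roles. In-memory store for illustration only; a real
       deployment would use a JDBC or custom UserDetailsService.
       Passwords are constructed placeholders. -->
  <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value>
        aminmoco=CHANGEME,ROLE_USER
        admin=CHANGEME,ROLE_USER,ROLE_ADMIN
      </value>
    </property>
  </bean>

  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
  </bean>

  <!-- Shared by the web tier and the service tier -->
  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref bean="daoAuthenticationProvider"/>
      </list>
    </property>
  </bean>

  <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
    <!-- false: deny when no voter grants access, so a URL or method carrying
         an attribute nobody understands cannot fall open -->
    <property name="allowIfAllAbstainDecisions" value="false"/>
    <property name="decisionVoters">
      <list>
        <bean class="org.acegisecurity.vote.RoleVoter"/>
      </list>
    </property>
  </bean>

  <!-- Web tier: URL rules. This bean goes last in the FilterChainProxy chain.
       Patterns are lowercase because of the CONVERT_URL_TO_LOWERCASE directive. -->
  <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /createasset.do=ROLE_ADMIN
        /updateasset.do=ROLE_ADMIN
        /deleteasset.do=ROLE_ADMIN
        /secure/**=ROLE_USER
      </value>
    </property>
  </bean>

  <!-- Service tier: method rules on the (assumed) service interface. The
       wildcard entry is listed first; the more specific entries take precedence. -->
  <bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        com.example.asset.AssetService.*=ROLE_USER
        com.example.asset.AssetService.createAsset=ROLE_ADMIN
        com.example.asset.AssetService.updateAsset=ROLE_ADMIN
        com.example.asset.AssetService.deleteAsset=ROLE_ADMIN
      </value>
    </property>
  </bean>

  <!-- Assumed service bean; the auto-proxy creator wraps it so every call
       passes through methodSecurityInterceptor -->
  <bean id="assetService" class="com.example.asset.AssetServiceImpl"/>

  <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
    <property name="beanNames" value="assetService"/>
    <property name="interceptorNames">
      <list><value>methodSecurityInterceptor</value></list>
    </property>
  </bean>
</beans>
```

The URL rules stop a browser from reaching createAsset.do, but only the method rules protect the service when it is called by another path (a different controller, a remote client, a test). The service tier sees the same Authentication as the web tier only because HttpSessionContextIntegrationFilter has already populated the SecurityContextHolder for the request thread; a service invoked outside such a request has no Authentication and is denied.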


Not sure if this has been covered. But when the user first logs in then I want him/her to be taken to the main menu page. But when the session expires then the login page needs to be displayed. When the user logs in again then he/she needs to be taken to the original place where they came from. If I put the mainmenu.do in the defaultUrl definition, will the user always be taken to the main menu?

which would answer this question immediately, as well as giving you information on how to specify that you always want to go to a particular URL. Searching the forum for defaultTargetUrl will also give you a lot of different discussions on the use of this property.


The other thing I noticed was that I had set up a resource to have the following:

/secure/test.jsp=ROLE_ADMIN

And in the user details I had set up

aminmoco=password,ROLE_USER

The login component works fine, so if I enter an incorrect username and password then I am directed back to the login page with an error message being displayed. The problem is that I get through the login page to the test.jsp, but that's not right as my access control is ROLE_USER, not ROLE_ADMIN. I've been using the examples from the Acegi sample war and the configuration files are pretty much the same, e.g. they have the necessary bean definitions.

Not sure what I'm doing wrong. I'll post my applicationContext.xml file when I get home, currently at work.


I used the debug.jsp that is a part of the tutorial and it seems as though the authentication object is null. The debug page is really helpful. The login page logs me in but does not set up the access control. I'm gonna look into this further.

For the tutorial it comes as a war file. I'm deploying my app on JBoss so I can see the expanded version in the tmp/deploy directory. I've been using the context file provided with the example.

This is becoming a blog!


The action for my login page is j_acegi_check. I'm currently at work so I can't remember what the entry is in the web.xml. I can post it later when I get home. Otherwise I've been using the sample tutorial web.xml file from the Acegi site. Have u found the tutorial?
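The web-tier wiring that the last three exchanges turn on (the defaultTargetUrl question, the null Authentication on debug.jsp, and the login action / web.xml entry), as an added example rather than the tutorial's files or anything posted in this thread. The Acegi class names, the j_username / j_password field names and the default filterProcessesUrl of /j_acegi_security_check are real; login.jsp and the bean names are assumptions, and the fragment assumes an authenticationManager bean and a filterInvocationInterceptor bean (the FilterSecurityInterceptor) defined elsewhere in the same context:

```xml
<!-- web.xml fragment (added example). The url-pattern must cover every page
     you secure; a mapping of *.do alone would let /secure/test.jsp bypass
     the whole chain. -->
<filter>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext-acegi-security.xml fragment (added example). Order in
     the chain matters: the session filter must run first and the
     interceptor last. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    </value>
  </property>
</bean>

<!-- Loads the SecurityContext from the HttpSession at the start of each
     request and stores it back at the end. Without it, the Authentication
     created at login is gone on the very next request. -->
<bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

<!-- Handles the POST from the login form. The form's action must equal
     filterProcessesUrl, with fields named j_username and j_password; a
     POST to any other URL is never seen by this filter. -->
<bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
  <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
  <!-- Used only when no request was saved, i.e. the user went to the
       login page directly: first login lands on the main menu -->
  <property name="defaultTargetUrl" value="/mainmenu.do"/>
  <!-- false (the default): a user sent to the login page from a secured
       URL, e.g. after session expiry, returns to that URL after logging
       in. true would always send them to /mainmenu.do. -->
  <property name="alwaysUseDefaultTargetUrl" value="false"/>
</bean>

<!-- Translates the interceptor's exceptions: no Authentication present ->
     save the original request in the session and redirect to the login
     page; Authentication present but role missing -> HTTP 403. -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl" value="/login.jsp"/>
      <property name="forceHttps" value="false"/>
    </bean>
  </property>
</bean>
```

Two checks follow from this wiring. If debug.jsp reports a null Authentication and yet a page mapped to ROLE_ADMIN was served, the request never reached filterInvocationInterceptor, because the interceptor refuses a secured URL with no Authentication at all; the filter-mapping url-pattern and the FilterChainProxy pattern are the first things to compare against the page's path. And if the login form posts to a URL other than filterProcessesUrl, the credentials are accepted by nothing, so the form appears to "work" while no Authentication is ever stored in the session.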